Worms Programs that seek to move from system to system Making use of various vulnerabilities Other performs other malicious behavior The Internet worm used to be the most famous example Blaster, Slammer, Witty are other worms Can spread very, very rapidly 6

The Internet Worm Created by a graduate student at Cornell in 1988 Released (perhaps accidentally) on the Internet Nov. 2, 1988 Spread rapidly throughout the network 6000 machines infected

How Did the Internet Worm Work? The worm attacked vulnerabilities in Unix 4 BSD variants These vulnerabilities allowed improper execution of remote processes Which allowed the worm to get a foothold on a system And then to spread

The Worm’s Actions Find an uninfected system and infect that one Here’s where it ran into trouble: It re-infected already infected systems Each infection was a new process Caused systems to wedge Did not take intentional malicious actions against infected nodes

Stopping the Worm In essence, required rebooting all infected systems And not bringing them back online until the worm was cleared out Though some sites stayed connected Also, the flaws it exploited had to be patched

Effects of the Worm Around 6000 machines were infected and required substantial disinfecting activities Many, many more machines were brought down or pulled off the net Due to uncertainty about scope and effects of the worm

What Did the Worm Teach Us? The existence of some particular vulnerabilities The costs of interconnection The dangers of being trusting Denial of service is easy Security of hosts is key Logging is important We obviously didn’t learn enough

Code Red A malicious worm that attacked Windows machines Basically used vulnerability in Microsoft IIS servers Became very widely spread and caused a lot of trouble

How Code Red Worked Attempted to connect to TCP port 80 (a web server port) on randomly chosen host If successful, sent HTTP GET request designed to cause a buffer overflow If successful, defaced all web pages requested from web server

More Code Red Actions Periodically, infected hosts tried to find other machines to compromise Triggered a DDoS attack on a fixed IP address at a particular time Actions repeated monthly Possible for Code Red to infect a machine multiple times simultaneously

Code Red Stupidity Bad method used to choose another random host Same random number generator seed to create list of hosts to probe DDoS attack on a particular fixed IP address Merely changing the target’s IP address made the attack ineffective

Code Red II Used smarter random selection of targets Didn’t try to reinfect infected machines Added a Trojan Horse version of Internet Explorer to machine Unless other patches in place, reinfected machine after reboot on login Also, left a backdoor on some machines Didn’t deface web pages or launch DDoS Didn’t turn on periodically

Impact of Code Red and Code Red II Code Red infected over 250,000 machines In combination, estimated infections of over 750,000 machines Code Red II is essentially dead Except for periodic reintroductions of it But Code Red is still out there

Stuxnet Scary worm that popped up in 2010 Targeted at SCADA systems Appears to try to alter industrial processes Targeted nuclear enrichment equipment Apparently particularly Iranian equipment Very sophisticated, very specifically targeted Speculation is built by a government

Where Did Stuxnet Come From? Very sophisticated Speculation is produced by unfriendly nation state(s) New York Times claims White House officials confirmed it (no official confirmation, though) Research suggests SCADA attacks do not need much sophistication, though Non-expert NSS Labs researcher easily broke into Siemans systems Duqu worm might be Stuxnet descendent Appears to be stealing certificates

Worm, Virus, or Trojan Horse? Terms often used interchangeably Trojan horse formally refers to a program containing evil code Only run when user executes it Effect isn’t necessarily infection Viruses seek to infect other programs Worms seek to move from machine to machine

Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks Usually those requiring lots of power

What Are Botnets Used For? Spam (90% of all email is spam) Distributed denial of service attacks Hosting of pirated content Hosting of phishing sites Harvesting of valuable data From the infected machines Much of their time spent on spreading

Botnet Software Each bot runs some special software Often built from a toolkit Used to control that machine Generally allows downloading of new attack code And upgrades of control software Incorporates some communication method To deliver commands to the bots

Botnet Communications Originally very unsophisticated All bots connected to an IRC channel Commands issued into the channel Starting to use peer technologies Similar to some file sharing systems Peers, superpeers, resiliency mechanisms Conficker’s botnet uses peer techniques Stronger botnet security becoming common Passwords and encryption of traffic Skynet bot communicates over Tor

Botnet Spreading Originally via worms and direct break-in attempts Then through phishing and Trojan horses Conficker used multiple vectors Buffer overflow, through peer networks, password guessing Regardless of details, almost always automated

Characterizing Botnets Most commonly based on size Estimates for Conficker over 5 million Zeus-based botnets got 3.6 million machines in US alone Trend Micro estimates 100 million machines are members of botnets Controlling software also important Other characteristics less examined

Why Are Botnets Hard to Handle? Scale Anonymity Legal and international issues Fundamentally, if a node is known to be a bot, what then? How are we to handle huge numbers of infected nodes?

Approaches to Handling Botnets Clean up the nodes Can’t force people to do it Interfere with botnet operations Difficult and possibly illegal Recent US government approaches here Shun bot nodes But much of their activity is legitimate And no good techniques for doing so

Spyware Software installed on a computer that is meant to gather information On activities of computer’s owner Reported back to owner of spyware Probably violating privacy of the machine’s owner Stealthy behavior critical for spyware Usually designed to be hard to remove

What Is Done With Spyware? Gathering of sensitive data Passwords, credit card numbers, etc. Observations of normal user activities Allowing targeted advertising And possibly more nefarious activities

Where Does Spyware Come From? Usually installed by computer owner Generally unintentionally Certainly without knowledge of the full impact Via vulnerability or deception Can be part of payload of worms Or installed on botnet nodes

Malware Components Malware is becoming sufficiently sophisticated that it has generic components Two examples: Droppers Rootkits

Droppers Very simple piece of code Runs on new victim’s machine Fetches more complex piece of malware from somewhere else Can fetch many different payloads Small, simple, hard to detect

Rootkits Software designed to maintain illicit access to a computer Installed after attacker has gained very privileged access on the system Goal is to ensure continued privileged access By hiding presence of malware By defending against removal

Use of Rootkits Often installed by worms or viruses E.g., the Pandex botnet But Sony installed rootkits on people’s machines via music CDs Generally replaces system components with compromised versions OS components Libraries Drivers

Ongoing Rootkit Behavior Generally offer trapdoors to their installers Usually try hard to conceal themselves And other nefarious activities Conceal files, registry entries, network connections, etc. Also try to make it hard to remove them Sometimes removes others’ rootkits Another trick of the Pandex botnet